This document discusses integrating DevOps and security by bringing development, operations, QA, and security teams together. It outlines where security currently stands, emphasizing the need to change from a "rugged" security model that acts as a bottleneck. The document proposes tactics to scale security through empathy, automation, and feedback loops. Specific tactics include integrating security into defect tracking, preventative controls, deployment pipelines, monitoring, and emphasizing that security says "we could do it this way" rather than only saying no. The overall goal is to improve security while making work easier.

1. Integrating DevOps and
Security

2. $whoami
• Independent consultant
• Ethical hacking
• Organising security
• Building applications
• Twitter: @ddccffvv

3. Goals
Improving security
Bringing dev/ops/QA/… and security
together
Making your life better

4. Part 1
Where are we now?

5. zuckerberg slide

6. IT is changing

8. We’re only getting started

9. Increasingly dependent

10. Rising importance
of security

11. Part 2
Bringing everyone together

12. zuckerberg slide

13. zuckerberg slide

14. Uncertainty is a threat

16. Rugged
DevOps
security

17. Security is the infrastructure team before DevOps
Does not like risks (change)
Tries to keep control
Bottleneck

18. How did we solve this
before?

19. 1) Empathy
2) Automate
3) Feedback loops

20. “We found that blockages at the end
of the project were much more
expensive than at the beginning - and
InfoSec blockages were among the
worst”
Justin Arbuckle

21. “By having Infosec involved throughout
the creation of any new capability, we were
able to reduce our use of static checklists
dramatically and rely more on using their
expertise throughout the entire software
development process.”
Justin Arbuckle

22. Message to infosec
people:

23. Don’t (only) say no!

24. Say: We could do it this way…

26. Part 3
Tactics (to scale)

27. 1) Empathy
2) Automate
3) Feedback loops

28. Defect Tracking & Post Mortem
Security issues in work tracker:
Visibility ++
Priorities ++
Security issue -> post mortem
Rework - -
Team knowledge ++

29. Preventive security controls
Provide security libraries or services that
every modern application or environment
requires
Place them in a central location, easily
accessible to anyone

30. Preventive security controls
• libraries/configs
• secret management
• OS packages/builds

31. Security in deployment pipeline
Automate as many security tests as
possible so that they run alongside other
tests in our deployment pipeline.

32. Security in deployment pipeline
• Static scanning
• Dynamic scanning
• Sad path

33. A word about false positives
versus

35. Security of software supply chain
“The typical organization uses 18,614
external software parts. Of those
components being used, 7.5% had known
vulnerabilities, with over 66% of those
vulnerabilities being over two years old
without having been resolved.
Sonatype 2015 State of the software supply chain report

36. Security and monitoring
How do you know if you’ve been
compromised?

37. Security and monitoring
“Year after year, in the vast majority of
cardholder breaches, organisations
detected the security breach months or
quarters after the breach occurred. Worse,
the way the breach was detected was not
an internal monitoring control, but was far
more likely someone outside of the
organization”
Marcus Sachs (Verizon data breach researcher)

38. Security and monitoring
• Set up central monitoring and make it
easy to use
• Application level
• Environment

39. Security and monitoring: etsy example
• abnormal process terminations
• internal server errors (500)
• database syntax error
• indication of sql injection attacks (UNION
ALL)

41. “Nothing helps you understand how hostile
the operating environment is than seeing
your code being attacked in real-time.”
Nick Galbreath

42. 1) Empathy
2) Automate
3) Feedback loops

43. Questions and discussion